Tunneling AP traffic from SSID

Unanswered Question
Jul 18th, 2007

Hello all,

I have the following scenario and I would like to ask for advice.

We are designing a wireless network with "private" and "public" access. "Private" can access the Internet and the Intranet and "Public" can only access the Internet. After authentication we want to tunnel the traffic from the "Public" WLAN to a secure point, it could be a Firewall, an IPS or a Wireless Controller.

My understanding is that the scenario can be built using Light Access Points and Wireless Controllers by tunnelling the traffic of the SSID Public and Private from the AP to the Controller, but I have not found any configuration document to verify it.

Also, we would like to build a pilot with a single AP. In this case, is it possible to create a tunnel (maybe GRE) between the AP and a FW or a router? Also, for this pilot we would need an AP capable of working standalone or with a controller. Is the Cisco Aironet 1240G suitable for this?

Finally, any link about similar scenarios and how to configure them would be much appreciated.



arturo_servin Thu, 07/19/2007 - 01:07

I forgot to mention that the Transport in the Enterprise Network is layer 3, so I cannot move VLANs through it. The last "hop" to set up a local VLAN is the L2 switch that connects the AP.

That is why I would like to set up some kind of tunneling from the AP to the terminating point (a FW or a wireless controller).



shakeelahmadch Thu, 07/19/2007 - 04:36


I came across the same scenario. As it was routing in between the same facility, I used VRF-Lite to keep the traffic separated and pass the traffic on to the firewall for Internet.

I would really like to see any practical configurations/answer to your post.

P.S.: From what I can tell, you can have a wireless controller card in your router, i.e. 3700, 3800 series, and the controller can then bridge the traffic to it. Sorry, I haven't implemented it yet, so no configurations.

arturo_servin Thu, 07/19/2007 - 07:30

We are also planning to implement VRF-lite with 4500 and 6500. Do you have any experiences or comments that you would like to share about VRF-lite?

I have found some change resistance with some other colleagues in changing from classic VLAN to VRF, so any comments, positive and negative, would be great.



shakeelahmadch Thu, 07/19/2007 - 08:00

Um, it's been a while since we implemented this, but if your plan and design are good, it should not affect anything.

The only negative thing I remember was that you can associate an interface with only one VRF (in some scenarios it affects your other applications).

You can use an SVI for a specific VLAN (say wireless) and put your AP's port in that VLAN. Then you'll need routed ports between your primary and secondary device (say router) to put traffic on. If you face any issue during implementation, I can rebuild the lab again. Let me know about it.
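
As an added illustration (not posted by either participant and not taken from Cisco documentation), the VRF-lite layout described in the reply above could look like this in IOS on the Layer 3 switch where the AP's VLAN terminates. The VRF name, VLAN IDs, interface names and addresses are constructed placeholders.

```cisco
! Constructed example: all names, VLAN IDs, interfaces and addresses are placeholders.
!
! Separate routing table for the "Public" WLAN. The global table, which
! carries the Intranet, has no route into or out of this VRF.
ip vrf GUEST
 rd 65000:50
!
vlan 50
 name WLAN-PUBLIC
!
! SVI that acts as the gateway for Public SSID clients.
! Apply "ip vrf forwarding" before the address: binding an interface to a
! VRF removes any IP address already configured on it.
interface Vlan50
 description Public WLAN gateway
 ip vrf forwarding GUEST
 ip address 192.0.2.1 255.255.255.128
!
! Port to the AP. VLAN 10 is assumed to carry the Private SSID and stays in
! the global table; VLAN 50 carries the Public SSID.
! (Some platforms require "switchport trunk encapsulation dot1q" first.)
interface GigabitEthernet1/0/10
 description Uplink to AP
 switchport mode trunk
 switchport trunk allowed vlan 10,50
!
! Dedicated routed port toward the next Layer 3 hop for guest traffic only.
! An interface can belong to just one VRF, so the Intranet uses another link.
interface GigabitEthernet1/0/48
 description GUEST VRF link toward firewall
 no switchport
 ip vrf forwarding GUEST
 ip address 198.51.100.1 255.255.255.252
!
! Everything in the GUEST VRF defaults toward the firewall side.
ip route vrf GUEST 0.0.0.0 0.0.0.0 198.51.100.2
!
! Checks after applying:
!   show ip vrf interfaces     (Vlan50 and Gi1/0/48 listed under GUEST)
!   show ip route vrf GUEST    (only guest subnets plus the default route)
!   show ip route              (global table must not contain 192.0.2.0/25)
```

Because VRF-lite is hop-by-hop, the same VRF and a VRF-bound link have to be repeated on every Layer 3 device between this switch and the firewall.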



